CASL Update – Installing a Computer Program without Consent is now Illegal

As we previously reported in our October 2014 issue, the computer program provisions of Canada’s anti-spam law (“CASL”) came into force on January 15, 2015. While these provisions are commonly referred to as the malware or spyware prohibition, CASL goes beyond prohibiting the installation of malware or spyware to broadly regulate the installation of computer programs even where there is no inappropriate purpose. As such, any organization which offers software or mobile applications to their customers, on a stand-alone basis or as part of another product, should review their installation practices and develop a policy to ensure compliance with these CASL provisions. In developing a compliance policy, there are several factors to keep in mind.

Scope of Provisions

The computer program provisions capture the installation of a computer program on any other person’s computer device (e.g.: laptop, smartphone, desktop, gaming console or other connected device) located in Canada (or on a computer located outside Canada if the person causing the install is located in Canada) during the course of a commercial activity UNLESS that person’s express consent is obtained, there is a court order requiring the installation or the installation falls into the category of expressly allowed exceptions.

On November 10, 2014, the Canadian Radio-television and Telecommunications Commission (“CRTC”) released its guidance on the computer program installation provisions of CASL. The CRTC stated that the provisions do not apply to owners who download an app on their mobile devices, install software from a CD on their computer or accept a prompt to update an existing program.

However, if another program is installed at the same time, unbeknownst to the owner and such program performs certain functions (“Specified Functions”) that are beyond the reasonable expectations of the owner for such software, CASL will apply and there are enhanced consent requirements, as noted below (under “Form of Consent”). The Specified Functions are:

Collecting personal information;

Interfering with the owner’s control of the device;

Changing or interfering with the owner’s settings, preferences or commands without their knowledge;

Changing or interfering with the data stored on the device in a way that obstructs, interrupts or interferes with the owner’s access to data;

Causing the computer system to connect or send messages to other computer systems without the owner’s authorization;

Installing a computer program that may be activated by a third party without the owner’s knowledge; or

Other functions as prescribed by regulations (currently none).

In addition, upgrades and updates are not included in the exclusion for self-installed software – as such, if consent is not obtained at the time of installation, the person causing the installation of an upgrade or update will need consent at the time such upgrade or update is installed.

Form of Consent

The consent required by CASL is prior and express consent meaning that “opt-in” consent is required. In other words, the owner of the computer system must take positive steps to indicate their consent, such as “checking a box”. Therefore, a consent form with a box already checked or having consent for the installation of software bundled with other consent requests, would not be CASL-compliant. When seeking consent, the requesting party must state clearly and simply the function and purpose of the computer program that is to be installed, the purposes for which consent is being sought and prescribed information identifying the person seeking consent.

In addition, keep in mind the requirement that functions that are beyond the reasonable expectations of the owner must be disclosed at this time and have enhanced consent requirements. If the person seeking consent knows that the software will cause the computer system to operate in a manner that is contrary to the reasonable expectations of the owner and the software performs any of the Specified Functions, then the person seeking consent must:

Describe and bring to the attention of the owner, material elements of the software that perform the identified function and their reasonably foreseeable impact on the operation of the system; and

Obtain a written acknowledgement that the owner understands and agrees to the software performing the additional functions.

Failure to meet these additional function-based requirements leads to an obligation to assist the owner of the device to remove or disable the program at no cost and further leads to exposure for liability under the CASL penalty provisions described below.

The CRTC guidance materials provide the following example of the additional function-based consent requirements. A person develops a gaming app for a smartphone that also allows collection of information from the GPS, camera and microphone. This function would not normally be expected by the owner. As a result, the developer of the app would need to disclose the collection function and the purpose for which such collection is conducted apart from the license agreement and obtain express consent for such functions.[1]

Exceptions to Express Consent

CASL deems consent to have been given for certain types of computer programs if it is reasonable to believe that the owner consented to the program’s installation. These types of computer programs are: cookies, HTML code, Java Scripts, an operating system, any other program that is executable only through the use of another program whose installation or use the individual has previously expressly consented to or any other program specified in the regulations.

The regulations provide two exemptions for telecommunication service providers (“TSPs”). TSPs are not required to obtain consent to install a computer program to protect their networks from an imminent security risk and they are not required to obtain prior consent to install network wide software or system upgrades.

Updates will be exempt from the express consent requirements if the initial installation was installed with the required disclosure. However, no such exemption is provided for the Specified Functions and upgrades or updates to self-installed programs that perform one or more of the Specified Functions, will require consent in accordance with the CASL requirements.

Penalties and Enforcement

CASL contains harsh penalties, including administrative monetary penalties of up to $10 million for corporations and $1 million for individuals, as well as statutory damages of $1 million per day. In addition, CASL contains a private right of action allowing individuals and businesses to commence enforcement proceedings. This private right of action comes into force on July 1, 2017 and is expected to lead to class actions.

The CRTC has mentioned, in its guidelines regarding corporate compliance, that it may consider the existence of a corporate compliance program as meeting the requirement for a due diligence defense in response to an alleged violation of CASL[2]. As such, it is important for organizations to develop a compliance policy to reduce the chances of violating CASL and to show that the organization takes compliance seriously.

Transitional Provisions

CASL has a three year transitional period for computer programs installed prior to January 15, 2015. Until the earlier of January 15, 2018 or the date the recipient of the program provides notice that it no longer provides consent to the installation, consent will be implied for such programs. Note that installers of the program are required to be able to prove that the installation of the program occurred prior to January 15, 2015.